Ransomware Examples: Top 15 Notable Cases (2024 Update)


Ransomware Examples

Ransomware attacks can cause a lot of damage and are not always easy to spot right away. If you want to learn how ransomware has evolved over time, here are some of the most well-known ransomware examples.

AIDS Trojan

The AIDS Trojan is one of the earliest examples of ransomware. It was sent out on floppy disks with the title “AIDS Information Introductory Diskette”—showing how old it is! After it infected a computer, it waited until the computer had been restarted 90 times. Then, the Trojan activated, encrypted the names of the files, and demanded $189 to “unlock” the software.

CryptoLocker

After the AIDS Trojan, hackers tried different methods. Some just pretended to lock a device, hoping the scared user would pay anyway. Others locked the device but pretended to be law enforcement, demanding fines. But in 2013, CryptoLocker appeared, bringing a new level of ransomware.

CryptoLocker was the first to use both RSA and AES encryption. It spread through emails and a network of infected computers, encrypting files with keys kept on the hackers’ servers. The criminals demanded payment by a deadline, threatening to destroy the key if the ransom was not paid. Typically, the ransom amount increased after the deadline.

In two years, CryptoLocker made about $3 million, mainly from individuals and small businesses. Authorities eventually shut down the network and retrieved the decryption keys. However, the success of CryptoLocker led to many copycat attacks.

WannaCry

First seen in 2017, WannaCry exploited security holes in outdated Windows systems to spread a file-encrypting virus. It used an exploit called EternalBlue, which was believed to have been developed by the U.S. National Security Agency (NSA) and leaked by the hacker group The Shadow Brokers. This allowed WannaCry to spread from machine to machine without needing users to open emails or click on links.

WannaCry affected over 300,000 devices in 150 countries, mostly in healthcare and utility companies. It demanded payments of $300-$600 in Bitcoin. Although the payment demands were relatively low, the total damage was in the millions. Authorities managed to stop the attack, and two North Korean hackers were identified as the culprits. WannaCry shows the importance of regularly updating systems to prevent such attacks.

NotPetya

NotPetya, a later version of the Petya attack, started in Germany in 2016. While Petya targeted businesses for financial gain, NotPetya mainly attacked Ukrainian businesses and infrastructure, causing widespread damage.

Unlike Petya, which sought ransom payments, NotPetya acted more like wiper malware. It destroyed systems without intending to collect ransom.

Cerber

Cerber was one of the first ransomware types to work as a business model called ransomware as a service (RaaS). This means ransomware creators lease their malware to other criminals for a share of the earnings.

Cerber started spreading in 2016 and helped attackers make around $200,000 that year. It often targeted Microsoft Office users in post-Soviet countries. Cerber went dormant for a while but resurfaced in 2019, 2020, and 2023.

Cerber spreads through phishing emails and features a unique voice message—where the ransom note is read out loud to the victim.

GandCrab

GandCrab was one of the most aggressive RaaS operations. From 2018 to 2019, it infected over 1.5 million machines, targeting hospitals, dental practices, and individuals.

It spread through emails, exploit kits, and phishing. The group demanded ransoms from a few hundred to several thousand US dollars, usually paid in cryptocurrencies like Bitcoin or Dash.

In 2019, after claiming to have made over $2 billion, the GandCrab group released a decryption tool and announced they were shutting down. However, many members likely joined other groups like REvil.

Ryuk

Ryuk has been active since 2018 and spreads through phishing emails with malicious Microsoft Office attachments. It gained attention in 2018 when it attacked several U.S. newspapers. Ryuk also targets governments, schools, healthcare organizations, and other public and private sector entities.

It is estimated that Ryuk has made over $150 million for cybercriminals since it started. This ransomware is still active today.

Maze

Maze ransomware became famous in 2019 for using a double extortion model. This means criminals both encrypt the data and steal a copy of it. If the ransom is not paid, they publish some of the stolen information online to force the victim to pay.

Maze spread through spam emails, RDP attacks, and exploit kits. Its most high-profile attack was against the IT service provider Cognizant in 2020, causing around $60 million in damage. Maze claimed it stopped operations at the end of 2020, but members likely joined other groups like Egregor.

REvil

REvil ransomware appeared in 2019 and quickly became one of the most advanced operations. It spread through phishing emails with malicious attachments or links. REvil used double extortion tactics, encrypting data and threatening to leak sensitive information unless paid. It was also offered as RaaS.

Notable REvil targets include Lady Gaga, a law firm associated with Donald Trump, Acer, Apple, Kaseya, and HX5, a space and defense contractor. REvil demanded millions in ransom, adjusting amounts based on the victim’s ability to pay. For instance, JBS Foods, a major U.S. meat processing company, paid an $11 million ransom in 2021 to unlock its data.

LockBit

By 2022, LockBit 3.0, or LockBit Black, became one of the most used ransomware types. It targets large organizations and government bodies by exploiting network security weaknesses. Ransom demands are usually in the millions. For example, in October 2023, LockBit demanded $200 million from Boeing after accessing their internal data. When Boeing refused to pay, the attackers leaked 43 GB of data.

LockBit has attacked over 1,700 organizations, including UK Royal Mail and the city of Oakland. A notable feature of LockBit 3.0 is its bug bounty program, in which the group offered hackers money for identifying and reporting bugs in its ransomware code.

DarkSide

DarkSide ransomware, similar to REvil, gained fame for attacking the Colonial Pipeline in May 2021, disrupting fuel supply on the U.S. East Coast. The situation was so severe that the hackers even apologized for causing problems. To regain control of the pipeline, executives paid $4.4 million. DarkSide also targeted companies like Toshiba and Brenntag. In mid-2021, the group announced it was suspending operations due to pressure from the U.S. government.

Conti

For two years during the Covid-19 pandemic, Conti was a major ransomware group. It was known for targeting healthcare organizations like Ireland’s Health Service Executive (HSE). Like many ransomware groups in the early 2020s, Conti used a RaaS model and double extortion tactics.

In early 2022, internal communications from Conti were leaked, revealing details about their operations and helping law enforcement shut them down.

Egregor

Egregor is a double extortion ransomware that attacked companies like Barnes & Noble, Kmart, and video game developers Ubisoft and Crytek. It spread by using stolen credentials, hacking remote access systems, and phishing scams.

Ransom demands ranged from $100,000 to $35 million. Fortunately, coordinated efforts between France and Ukraine led to the arrest of several Egregor affiliates in 2021, and the group’s infrastructure was taken offline soon after.

WhisperGate

WhisperGate emerged in early 2022 as destructive malware, mainly targeting Ukrainian organizations. Although it appeared to be ransomware by locking devices and displaying a ransom message, it was actually wiper malware. It was designed to corrupt and destroy files, regardless of ransom payment. WhisperGate is likely part of a state-sponsored campaign linked to Russia’s planned invasion of Ukraine.

BlackMatter

BlackMatter, likely a successor to DarkSide, appeared in mid-2021. It targeted critical infrastructure, including agriculture and energy sectors. BlackMatter was linked to attacks on major companies, including an agricultural cooperative in the U.S., with ransom demands in the millions. Law enforcement shut down BlackMatter before the year ended.

Hive

The Hive ransomware group gained notoriety in 2022 after attacking the Costa Rican Social Security Fund. Hive infiltrates systems via RDP, phishing, and exploiting security weaknesses. It also uses triple extortion: in addition to stealing data and threatening to release it, the group contacts the victim’s partners to pressure the victim into paying the ransom.

Hive has breached over 1,300 companies worldwide, receiving around $100 million in ransom payments. It targets various businesses, including IT and critical infrastructure sectors, with a focus on healthcare.

Types of Ransomware

There are two main types of ransomware:

  1. Locker Ransomware: This locks your system, making it impossible to unlock or reboot the device. The victim only sees a ransom message, which often tries to scare them into paying.
  2. Crypto Ransomware: This encrypts your files rather than locking the entire device. Crypto ransomware is more common than locker ransomware because the victim can still use the device for some functions while dealing with the ransom message and paying through cryptocurrency.

Several related kinds of malware are often grouped with ransomware:

  • Scareware: This does not lock or encrypt anything but tricks users into believing their computer is infected.
  • Extortionware (Leakware or Doxware): This threatens to leak your data unless you pay a ransom.
  • Wiper Malware: This does not demand a ransom. Instead, it destroys as much of the victim’s system as possible.
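Crypto ransomware leaves three side effects a defender can look for on a file share: a burst of files whose contents look like ciphertext (near-maximum byte entropy), one new extension appearing on many of those files, and a ransom note dropped alongside them. The script below is an added example written for this article, not code from any product or from the ransomware families described above. The entropy threshold, the minimum file count for a "mass rename", and the ransom-note filename pattern are assumptions chosen for illustration; the directory it scans is constructed in a temporary folder (files named `report0.docx.locked`, `minutes0.txt`, `HOW_TO_RECOVER_FILES.txt` and so on) so it runs offline.

```python
"""Heuristic detection of crypto-ransomware side effects on a directory tree.

Added example (not from the original article). All thresholds and name
patterns below are assumptions chosen for illustration; tune them for a
real environment.
"""
import hashlib
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.2        # bits per byte; 8.0 is the maximum (assumed cut-off)
MIN_SAMPLE_BYTES = 256         # entropy of very small files is too noisy to judge
SAMPLE_BYTES = 4096            # only the first 4 KiB of each file is inspected
MASS_RENAME_MIN_COUNT = 5      # same extension on at least this many ciphertext-like files
# Assumed pattern for ransom-note names (constructed for this example).
RANSOM_NOTE_PATTERN = re.compile(
    r"(readme|restore|decrypt|recover|how_to|help).*\.(txt|html|hta)$", re.I
)
# Compressed or already-encrypted formats are high-entropy by design; skip them
# to avoid false positives (a real deployment would verify magic bytes too).
BENIGN_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4"}


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root) -> dict:
    """Walk root and collect the three indicators described in the lead-in."""
    encrypted_like, ransom_notes = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if RANSOM_NOTE_PATTERN.search(path.name):
            ransom_notes.append(path.name)
            continue
        if path.suffix.lower() in BENIGN_HIGH_ENTROPY:
            continue
        sample = path.read_bytes()[:SAMPLE_BYTES]
        if len(sample) >= MIN_SAMPLE_BYTES and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
            encrypted_like.append(path.name)
    # A "mass rename" is one extension shared by many ciphertext-like files.
    ext_counts = Counter(Path(name).suffix.lower() for name in encrypted_like)
    suspicious_exts = sorted(ext for ext, cnt in ext_counts.items()
                             if cnt >= MASS_RENAME_MIN_COUNT)
    return {"encrypted_like": encrypted_like,
            "ransom_notes": ransom_notes,
            "suspicious_extensions": suspicious_exts}


def assess(report: dict) -> str:
    """Turn the indicator lists into a verdict: clean, suspicious or likely_ransomware."""
    if report["encrypted_like"] and (report["ransom_notes"] or report["suspicious_extensions"]):
        return "likely_ransomware"
    if report["encrypted_like"] or report["ransom_notes"]:
        return "suspicious"
    return "clean"


def pseudo_ciphertext(seed: str, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content.

    Constructed for the demo: a SHA-256 counter stream, not real ciphertext.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:length])


def build_sample_tree() -> str:
    """Constructed directory modelling a share after a crypto-ransomware run."""
    root = Path(tempfile.mkdtemp(prefix="rw_demo_"))
    for i in range(6):                       # six documents with a new extension
        (root / f"report{i}.docx.locked").write_bytes(pseudo_ciphertext(f"victim{i}", 2048))
    for i in range(3):                       # three untouched, low-entropy text files
        (root / f"minutes{i}.txt").write_text("Meeting minutes: action items follow.\n" * 20)
    (root / "photos.zip").write_bytes(pseudo_ciphertext("archive", 2048))  # benign high entropy
    (root / "HOW_TO_RECOVER_FILES.txt").write_text("Your files are encrypted. (constructed note)\n")
    return str(root)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    demo_report = scan_directory(demo_root)
    print(demo_report)
    print("verdict:", assess(demo_report))
```

The entropy check alone is not a verdict: archives, images and properly encrypted backups all score near 8 bits per byte, which is why the script only escalates to `likely_ransomware` when the high-entropy files also share a new extension or sit next to a ransom note. In production this logic belongs in a file-integrity or EDR rule that compares against a baseline, rather than in a one-off scan.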
